Smartphones from a major Chinese manufacturer have a security flaw that was deliberately introduced and allows hackers full control of the device.

The “CoolReaper” backdoor was found in the software that powers at least 24 models made by Coolpad, which is now the world’s sixth-biggest smartphone producer according to Canalys.

The flaw allows hackers or Coolpad itself to download and install any software onto the phones without the user’s permission.

“The operator can simply uninstall or disable all security applications in user devices, install additional malware, steal information and inject content into the users device in multiple ways,” according to a report on the malware by security firm Palo Alto Networks (Pan).

‘It’s possible that over 10m users have been affected’

The backdoor may not have been installed by Coolpad, but by hackers who had broken into the company’s systems. However, Pan found that the phone’s Android operating systems had been modified to hide the malware from the user and security programs.

Pan also found that the server remotely controlling the malware on the phones was owned by Coolpad.

In China, Coolpad outsells Apple and Samsung and is beaten only by Xioami and Lenovo with 11.5% of the smartphone market, according to IDC data.

Coolpad sold 37.2m smartphones in 2013 and is targeting 60m phones worldwide in 2014.

Pan said: “The known impact of CoolReaper thus far is limited to China and Taiwan, but Coolpad’s position in the market and global expansion plans mean this backdoor presents a threat to Android users all over the world.

“We do not know how many Coolpad devices contain the CoolReaper backdoor. Considering that CoolReaper appears to have been developed and embedded into 24 phone models in the last 12 months, and the Coolpad sales targets published by IDC, it’s possible that over 10m users have been affected.”

Pan also found vulnerabilities in the backdoor that would let hackers take control of the flaw, even if Coolpad was not using it for malicious reasons.

The biggest problem is that users are powerless to do anything about the flaw, short of modifying the operating system. They may also be unaware that their data such as personal data, credit card information and logins and passwords was being stolen.